CWE-610: Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
- Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data. An adversary could read or modify data, depending on how the resource is intended to be used.
- Scope: Access Control. Impact: Gain Privileges or Assume Identity. Likelihood: High. An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following code is a Java servlet that receives a GET request carrying a url parameter and redirects the browser to the address given in that parameter. The servlet reads the url parameter value from the request and sends a response redirecting the browser to that address.
The problem with this Java servlet code is that an attacker could use the RedirectServlet as part of an e-mail phishing scam to redirect users to a malicious site: because the url parameter is passed to the redirect unchecked, the reference can resolve to any site rather than one inside the application's intended control sphere. An attacker could send an HTML-formatted e-mail directing the user to log into their account by including in the e-mail the following link:
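The servlet code itself is not reproduced on this page, so the following is an added example (not code from the CWE entry or from MITRE) showing the vulnerable redirect pattern described above beside a validator that confines the externally supplied url reference to the application's own control sphere. The host allow-list, the SAFE_DEFAULT destination and the class name are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not code from the CWE entry or from MITRE. It confines the
// externally supplied "url" reference of a RedirectServlet to hosts the
// application actually controls. ALLOWED_HOSTS and SAFE_DEFAULT are assumed.
public final class RedirectTargetValidator {

    // Assumed: the only hosts this application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example.com", "app.example.com");

    // Where a rejected reference is sent instead (assumed value).
    public static final String SAFE_DEFAULT = "https://www.example.com/";

    private RedirectTargetValidator() {}

    // Vulnerable pattern (CWE-610, specialised as CWE-601): the attacker-controlled
    // parameter reaches sendRedirect unchanged, so it can name any site at all.
    //
    //   response.sendRedirect(request.getParameter("url"));
    //
    // Hardened pattern: the servlet redirects to resolve()'s result instead.
    //
    //   response.sendRedirect(RedirectTargetValidator.resolve(request.getParameter("url")));

    // Maps an untrusted "url" parameter to a target inside the intended control
    // sphere. Anything not provably safe maps to SAFE_DEFAULT; never throws.
    public static String resolve(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) {
            return SAFE_DEFAULT;
        }
        // Reject ASCII control characters and whitespace before parsing. Browsers
        // strip some of them and URL parsers disagree on others, which is the
        // parser mismatch behind the whitespace bypass in the CVE list below.
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                return SAFE_DEFAULT;
            }
        }
        final URI uri;
        try {
            uri = new URI(untrusted);   // also throws on "\" and other illegal chars
        } catch (URISyntaxException e) {
            return SAFE_DEFAULT;
        }

        if (uri.getScheme() == null) {
            // Site-relative target: require exactly one leading slash. Browsers
            // treat "//host/..." and "///host/..." as naming another host, even
            // though java.net.URI parses the latter as an ordinary path.
            if (untrusted.startsWith("/") && !untrusted.startsWith("//")
                    && uri.getRawAuthority() == null) {
                return untrusted;
            }
            return SAFE_DEFAULT;
        }

        // Absolute target: https only (this also rejects javascript: and data:),
        // no userinfo (so "https://www.example.com@attacker.example/" fails),
        // and the host must be on the allow-list.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return SAFE_DEFAULT;
        }
        if (uri.getRawUserInfo() != null) {
            return SAFE_DEFAULT;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return SAFE_DEFAULT;
        }
        return uri.toString();
    }

    // Constructed sample inputs exercising the accept and reject paths.
    public static void main(String[] args) {
        String[] samples = {
            "/account/settings",                               // accepted
            "https://app.example.com/dashboard",               // accepted
            "https://attacker.example/login",                  // rejected: host
            "//attacker.example/login",                        // rejected: protocol-relative
            "///attacker.example/login",                       // rejected: extra slashes
            "https://www.example.com@attacker.example/login",  // rejected: userinfo
            "javascript:void(0)",                              // rejected: scheme
            "https://app.example.com/x\t/y",                   // rejected: control char
        };
        for (String s : samples) {
            System.out.println(s.replace("\t", "\\t") + " -> " + resolve(s));
        }
    }
}
```

The design choice worth noting is that the validator decides on the parsed host rather than on string prefixes: a check such as url.startsWith("https://www.example.com") is exactly what the userinfo and "www.example.com.attacker.example" cases defeat. Rejected values fall back to a fixed in-sphere page instead of raising an error, so the servlet's behaviour on hostile input is a harmless redirect rather than a stack trace.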
Observed CVE Examples (6)
- An email client does not block loading of remote objects in a nested document.
- Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24).
- Cryptography API uses unsafe reflection when deserializing a private key.
- Chain: Go-based OAuth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601).
- Database system allows attackers to bypass sandbox restrictions by using the Reflection API.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-610: Externally Controlled Reference to a Resource in Another Sphere?
CWE-610: Externally Controlled Reference to a Resource in Another Sphere is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
What are the security consequences of Externally Controlled Reference to a Resource in Another Sphere?
If exploited, CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) can compromise Confidentiality, Integrity and Access Control, leading to outcomes such as Read Application Data, Modify Application Data and Gain Privileges or Assume Identity.
What are real-world examples of Externally Controlled Reference to a Resource in Another Sphere?
MITRE documents real CVEs mapped to CWE-610, including CVE-2022-3032, CVE-2022-45918, CVE-2018-1000613, CVE-2020-11053 and CVE-2022-42745. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-610 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.